raptor’s Integer Overflow No. 1

raptor made some really interesting challenges a couple of years ago, so I decided to start discussing them. I'm starting with the integer overflows, since they are probably the easiest to understand. So, here is the first one:

It is really simple: we control both the index (slot) and the value. Also, as you already know, integers are 4 bytes on 32-bit CPUs and addresses are also 4 bytes. This means that we can overflow the index to point to the location of the stored EIP register (ret) and replace this address with the address of our shellcode to gain control over the execution flow. To make the achievement even more interesting I'm going to compile this as a SUID root binary. So, the final version is this:
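The fix for this class of bug is the check the challenge leaves out. The following is an added example, not raptor's challenge code: it assumes an array of 8 ints indexed by a signed int slot, and puts an incomplete check (upper bound only, the kind that still lets a negative slot walk backwards into the frame) next to the complete one that rejects both directions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed array size; the real challenge's size is not shown here. */
#define SLOTS 8

/* Incomplete check: only the upper bound is tested, so a negative slot
   still passes and indexes memory before the start of the array. */
bool index_ok_upper_only(int slot) {
    return slot <= SLOTS - 1;
}

/* Complete check: the slot must be inside [0, SLOTS). */
bool index_ok(int slot) {
    return slot >= 0 && slot < SLOTS;
}

/* Hardened store: writes only when the index is in range and reports
   whether the write happened, so a bad slot never reaches the stack frame. */
bool store_checked(int *array, int slot, int value) {
    if (!index_ok(slot)) {
        fprintf(stderr, "rejected out-of-range slot %d\n", slot);
        return false;
    }
    array[slot] = value;
    return true;
}

/* Helper for exercising store_checked against a static array
   without exposing the array itself. Returns true if the value was stored. */
bool demo_store(int slot, int value) {
    static int array[SLOTS];
    return store_checked(array, slot, value);
}

int main(void) {
    /* Constructed probe values: in range, just past the end, negative,
       and a large index of the kind an unchecked write would accept. */
    int probes[] = { 0, 7, 8, -1, -4, 1000000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int slot = probes[i];
        printf("slot %8d: upper-only check %s, full check %s\n", slot,
               index_ok_upper_only(slot) ? "passes" : "rejects",
               demo_store(slot, 0x41414141) ? "writes" : "rejects");
    }
    return 0;
}
```

Note that the signed index is the whole point: a check written as `slot > 7` looks complete until a negative value arrives, which is why the full check tests both bounds (or converts the slot to an unsigned type before a single comparison).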

Now the last important milestone is the return address calculation. I think that the most efficient and straightforward method for this kind of bug is the exact stack address calculation introduced by Netric. You know the classic: 0xbffffffa - strlen(file) - strlen(shellcode); At last, we have to find where ret is, which is really simple…

@anderson: In an integer array overflow you have control over the index value, which means that you can make the array access an invalid memory location. On the other hand, an integer overflow is simply an integer variable that incorrectly overflows and wraps around zero. An integer overflow doesn't always lead to invalid memory access. For example, consider an integer used as a counter which is overflowed. I hope my answer helped you.